The TinyNav plugin accepts form submissions without validating the request source, permitting an attacker to forge a request that creates or modifies content on the site. The forged request triggers the plugin’s XSS handling, resulting in stored cross‑site scripting that can execute arbitrary JavaScript in the browsers of site visitors. The weakness is a classic CSRF flaw (CWE‑352) that can compromise confidentiality and integrity by injecting malicious code.

All WordPress sites that have the Beee TinyNav plugin installed with version 1.4 or earlier are affected. This includes any publicly accessible WordPress installation that uses the plugin for navigation controls. Users who have administrative or editor‑level access to those sites are potential targets because the vulnerability requires the victim to submit forged requests while authenticated.

The CVSS score of 7.1 indicates high severity, though the EPSS score is below 1 % and the vulnerability is not currently listed in CISA’s KEV catalog, suggesting limited public exploitation. The attack vector is inferred to be through a standard web form or URL request that an authenticated user is tricked into sending, so a malicious link or embedded script hosted elsewhere could trigger it. The combined effect of CSRF and stored XSS allows attackers to deface content, steal credentials from visitors, or distribute malware, making the risk high for sites with public access and uncertain exploitation likelihood based on current EPSS.